b'DOE/IG-0488\n\n\n\n\n  INSPECTION                          INSPECTION OF\n    REPORT                         SELECTED ASPECTS OF\n                               THE DEPARTMENT OF ENERGY\xe2\x80\x99S\n                                  CLASSIFIED DOCUMENT\n                                  TRANSMITTAL PROCESS\n\n\n\n\n                                     NOVEMBER 2000\n\n\n\n\n  U.S. DEPARTMENT OF ENERGY\n OFFICE OF INSPECTOR GENERAL\n     OFFICE OF INSPECTIONS\n\x0c                             U.S. DEPARTMENT OF ENERGY\n                                   Washington, DC 20585\n\n                                       November 20, 2000\n\n\n\nMEMORANDUM FOR THE SECRETARY\n\nFROM:                  Gregory H. Friedman /s/\n                       Inspector General\n\nSUBJECT:                INFORMATION: Report on \xe2\x80\x9cInspection of Selected Aspects of the\n                        Department of Energy\xe2\x80\x99s Classified Document Transmittal Process\xe2\x80\x9d\n\nBACKGROUND\n\nIn view of recent concerns regarding the security of Department of Energy (DOE) classified\ninformation, including nuclear weapons information, we initiated an inspection to determine whether\nofficials of the Department and its contractors, including officials of the National Nuclear Security\nAdministration (NNSA) and its contractors, followed the Department\xe2\x80\x99s policies and procedures\nwhen transmitting classified documents to entities outside the Department.\n\nRESULTS OF INSPECTION\n\nWe found that three DOE/NNSA laboratories sent classified documents to addresses outside the\nDepartment that were not listed in the Department\xe2\x80\x99s database of approved recipients of such\ndocuments. We reviewed a judgmental sample of classified document transmittals during calendar\nyear 1999 by selected Department Headquarters and field organizations and three Department\nlaboratories. We found that approximately 15 percent of the transmittals in our sample had been\nsent by the three laboratories to addresses that were not listed in the Department\xe2\x80\x99s database. These\ntransmittals were either made to an address other than the classified mailing address listed in the\ndatabase, or were made to facilities that were not registered in the database at the time of the\ntransmittal.\n\nThe Department\xe2\x80\x99s policy is very clear on the transmittal of classified material. Specifically, it\nprovides that classified matter shall be addressed only to approved classified addresses, and all such\naddresses must be verified through the database. When we brought this matter to the attention of the\nDirector, Office of Security and Emergency Operations, he acknowledged that the Department\xe2\x80\x99s\npolicy had been violated, but concluded that there was no compromise of classified information. We\ndid not independently confirm that no compromise took place. However, we concluded that actions\nwere required by the Department to ensure that policies and procedures relating to transmittal of\nclassified documents are precisely executed and that officials of the Department and its contractors\nare held accountable when the policies and procedures are not followed.\n\x0cMANAGEMENT REACTION\n\nManagement concurred with our findings and described corrective actions to implement our\nrecommendations. The Deputy Secretary\xe2\x80\x99s response is set out in full in Appendix B of the report.\n\nAttachment\n\ncc: Deputy Secretary\n    Under Secretary for Nuclear Security/Administrator for Nuclear Security\n    Under Secretary for Energy, Science and Environment\n    Director, Office of Security and Emergency Operations\n    Director, Office of Defense Nuclear Security\n\x0cINSPECTION OF SELECTED ASPECTS OF THE\nDEPARTMENT OF ENERGY\xe2\x80\x99S CLASSIFIED DOCUMENT\nTRANSMITTAL PROCESS\n\n\nTABLE OF\nCONTENTS\n\n\n\n              Overview\n\n              Introduction and Objective\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6. 1\n\n              Observations and Conclusions\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6. 1\n\n\n              Details of Findings\n\n              Management Alert Issued..\xe2\x80\xa6.\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.. 2\n\n              Department Action\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.. 2\n\n              Management Comments on\n               Initial Draft Report\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 3\n\n\n              Recommendations\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6 4\n\n\n              Management and Inspector Comments\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.. 5\n\n\n              Appendices\n\n              A. Scope and Methodology\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.. 6\n\n              B. Response From Deputy Secretary\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6. 7\n\x0cOverview\nINTRODUCTION       In view of recent concerns regarding the security of Department of\nAND OBJECTIVE      Energy (DOE) classified information, including nuclear weapons\n                   information, we initiated an inspection to determine whether\n                   classified documents are being transmitted by DOE and DOE\n                   contractor personnel, including National Nuclear Security\n                   Administration (NNSA) and NNSA contractor personnel, to\n                   entities outside the Department in accordance with the\n                   Department\xe2\x80\x99s policies and procedures. Specific concerns\n                   regarding the Department\xe2\x80\x99s mailing of classified material were\n                   expressed by a member of the Senate Armed Services Committee\n                   during a June 21, 2000, hearing on security failures at the NNSA\xe2\x80\x99s\n                   Los Alamos National Laboratory (LANL).\n\nOBSERVATIONS AND   We found that the three Department laboratories included in our\nCONCLUSIONS        review did not always adhere to the Department\xe2\x80\x99s safeguards and\n                   security policies and procedures for the transmittal of classified\n                   documents to entities outside the Department. Specifically, we\n                   found that classified documents were transmitted to entities that\n                   were not listed in the Department\xe2\x80\x99s database of approved recipients\n                   of such documents. When we brought this matter to the attention\n                   of the Director, Office of Security and Emergency Operations\n                   (SO), he acknowledged that the Department\xe2\x80\x99s policy had been\n                   violated, but concluded that there was no compromise of classified\n                   information. While we did not independently confirm that no\n                   compromise took place, we believe that the Department needs to\n                   take prompt action to ensure that policies and procedures relating\n                   to transmittal of classified documents are precisely executed and\n                   that officials of the Department and its contractors are held\n                   accountable when the policies and procedures are not followed.\n\n\n\n\nPage 1                  Inspection of Selected Aspects of the Department\n                        of Energy\xe2\x80\x99s Classified Documents Transmittal Process\n\x0cDetails of Findings\nDETAILS OF            We reviewed a judgmental sample of 177 transmittals of classified\nFINDINGS              documents during calendar year 1999 by selected Department\n                      Headquarters and field organizations and three Department\n                      laboratories: the NNSA Lawrence Livermore National Laboratory\n                      (LLNL), the DOE Pacific Northwest National Laboratory (PNNL),\n                      and LANL. We found that 27 of the transmittals, or approximately\n                      15 percent of the transmittals we reviewed, were sent by the three\n                      laboratories to addresses that were not listed in the Department\xe2\x80\x99s\n                      Safeguards and Security Information Management System\n                      (SSIMS). These transmittals were either made to an address other\n                      than the classified mailing address listed in SSIMS, or were made\n                      to facilities that were not registered in SSIMS at the time of the\n                      transmittal. Although contractor access to SSIMS is limited, the\n                      Department\xe2\x80\x99s policy is very clear on the transmittal of classified\n                      material. Specifically, it provides that classified matter shall be\n                      addressed only to approved classified addresses, and all such\n                      addresses must be verified through SSIMS (DOE Manual 471.2B,\n                      \xe2\x80\x9cClassified Matter Protection and Control Manual,\xe2\x80\x9d dated\n                      January 6, 1999). By requiring the use of SSIMS to obtain\n                      approved mailing addresses for classified documents, SSIMS\n                      serves as a gatekeeper to prevent such documents from being\n                      transmitted to unapproved sources. In short, the Department\xe2\x80\x99s\n                      policy is that, if the address is not in SSIMS, the document should\n                      not be transmitted.\n\nManagement Alert      Because of the time sensitive nature of our findings, on\nIssued                May 12, 2000, we issued a Management Alert to the Office of\n                      Security Affairs (OSA) entitled \xe2\x80\x9cInspection of Classified\n                      Information Transmittals.\xe2\x80\x9d The purpose of the Management Alert\n                      was to advise OSA of preliminary findings from our review that\n                      might require immediate attention by appropriate security\n                      personnel. We provided background information on the 27\n                      classified document transmittals by the three Department\n                      laboratories that were sent to addresses that were not in SSIMS.\n                      The security classification for the transmitted documents ranged\n                      from \xe2\x80\x9cSECRET\xe2\x80\x9d to \xe2\x80\x9cSECRET RD [Restricted Data].\xe2\x80\x9d Our\n                      objective was to ensure that OSA would take appropriate action to\n                      evaluate the security of the classified matter in the transmittals and\n                      to investigate the circumstances surrounding the transmittals.\n\nDepartment Action     In a July 6, 2000, memorandum to the Office of Inspector General\n                      on this subject, the SO Director concluded that classified\n                      documents had, in fact, been transmitted in a manner inconsistent\n                      with the Department\xe2\x80\x99s policy. Nonetheless, it was the SO\n                      Director\xe2\x80\x99s conclusion that there was no compromise of classified\n                      information. We did not conduct an independent review to\n\n\n\nPage 2                                                                 Details of Findings\n\x0c                      determine whether there was a compromise of classified\n                      information in the 27 transmittals.\n\n                      In his July 6, 2000, memorandum, the SO Director stated that SO\n                      issued a May 26, 2000, memorandum to the Safeguards and\n                      Security Directors and the Lead Program Secretarial Officers\n                      reiterating the established policies and procedures regarding the\n                      verification of classified mailing addresses. The SO Director\n                      expressed the view that the root cause of the mishandling of the\n                      transmission of classified information was the limited access to\n                      SSIMS provided to the Department\xe2\x80\x99s contractors for verification of\n                      approved classified mailing addresses. The SO Director stated,\n                      however, that expanding the accessibility of SSIMS to allow\n                      contractor personnel access to the database creates a number of\n                      security-related (need-to-know) concerns. According to the SO\n                      Director, the Office of Safeguards and Security is conducting an\n                      evaluation to \xe2\x80\x9ccompare the cost of compartmentalizing the system\n                      to control need-to-know versus the benefits of the change.\xe2\x80\x9d\n\n                      Based on the results of our review, we are not convinced that the\n                      lack of contractor access to SSIMS is the root cause of the\n                      problems identified. Specifically, we found that classified\n                      document transmittals were mishandled by PNNL, which had\n                      direct access to SSIMS. Instead, we believe there was a\n                      breakdown in the execution of internal controls designed to\n                      prevent transmittal of classified documents to inappropriate\n                      recipients. The recommendations for corrective actions that follow\n                      are intended to address this problem.\n\nManagement            On August 23, 2000, we issued an initial draft report for\nComments on Initial   management comments that contained four recommendations\nDraft Report          to the SO Director for corrective actions. In comments dated\n                      September 18, 2000, the SO Director agreed with the\n                      recommendations. However, he believed that two of the four\n                      recommendations are the responsibility of the Lead Program\n                      Secretarial Offices and not SO. To ensure full implementation of\n                      the two recommendations Department-wide, we have redirected\n                      the two recommendations to the Department\xe2\x80\x99s Deputy Secretary\n                      for corrective actions.\n\n\n\n\nPage 3                                                             Details of Findings\n\x0cRECOMMENDATIONS   We recommend that the Deputy Secretary:\n\n                  1. Ensure that the Department\xe2\x80\x99s policies and procedures for the\n                     transmittal of classified material are precisely executed.\n\n                  2. Ensure that officials of the Department and its contractors are\n                     held accountable for management failures that result in the\n                     improper transmittal of classified material.\n\n                  We also recommend that the Director, Office of Security and\n                  Emergency Operations:\n\n                  3. Ensure that officials of the Department and its contractors are\n                     knowledgeable of the Department\xe2\x80\x99s policies and procedures for\n                     the transmittal of classified material.\n\n                  4. Establish a mechanism for Department contractors to obtain\n                     approval of, and to verify mailing addresses for transmittal of\n                     classified information.\n\n\n\n\nPage 4                                                          Recommendations\n\x0cMANAGEMENT   In comments dated November 14, 2000, the Deputy Secretary\nCOMMENTS     concurred with the findings in our draft report and described\n             corrective actions to be implemented in response to our\n             recommendations. Regarding recommendations 1 and 2, he said\n             that the Department will publish an award fee clause that will\n             allow the Department to withhold award fee dollars for violations\n             of security directives regarding the protection of classified\n             information. He also said that a civil penalties regulation is being\n             developed to impose civil penalties up to one hundred thousand\n             dollars for the failure to protect classified information. The\n             estimated publication date of the award fee clause and the civil\n             penalties regulation is May 31, 2001.\n\n             Regarding recommendation 3, the Deputy Secretary stated that the\n             Department will increase the level of security awareness\n             throughout the Department. He said that special publications\n             focusing on this issue are being developed and additional security\n             education resources are being allocated. The estimated completion\n             date is February 28, 2001.\n\n             Regarding recommendation 4, the Deputy Secretary said that, due\n             to the significant volumes of sensitive information in SSIMS and\n             the associated need-to-know concerns, efforts are underway in the\n             Department to modify SSIMS to provide a read only capability of\n             selected facility information. This will allow more organizations\n             to access those portions of the system relative to their specific\n             operation, without the threat of being able to modify or delete\n             information contained in the system. The estimated\n             implementation date for the revised system is December 1, 2000.\n\n             The Deputy Secretary\xe2\x80\x99s response is set out in full in Appendix B.\n\nINSPECTOR    We consider management\xe2\x80\x99s comments to be responsive.\nCOMMENTS\n\n\n\n\nPage 5                                    Management/Inspector Comments\n\x0cAppendix A\nSCOPE AND     Our inspection included interviews of Department of Energy\nMETHODOLOGY   (DOE) and DOE contractor employees, to include National\n              Nuclear Security Administration (NNSA) and NNSA contractor\n              employees, at the Department\xe2\x80\x99s Headquarters and field\n              organizations, and at three Department laboratories: the NNSA\n              Lawrence Livermore National Laboratory, the NNSA Los Alamos\n              National Laboratory, and the DOE Pacific Northwest National\n              Laboratory. We also reviewed pertinent Department policies and\n              procedures and analyzed a judgmental sample of the\n              documentation for transmittals of classified documents. Our\n              inspection was conducted in accordance with the \xe2\x80\x9cQuality\n              Standards for Inspections\xe2\x80\x9d issued by the President\xe2\x80\x99s Council on\n              Integrity and Efficiency.\n\n\n\n\nPage 6                                             Scope and Methodology\n\x0c\x0c\x0c\x0c                                                                         IG Report No. DOE/IG-0488\n\n                           CUSTOMER RESPONSE FORM\n\nThe Office of Inspector General has a continuing interest in improving the usefulness of its\nproducts. We wish to make our reports as responsive as possible to our customers\xe2\x80\x99 requirements,\nand, therefore, ask that you consider sharing your thoughts with us. On the back of this form,\nyou may suggest improvements to enhance the effectiveness of future reports. Please include\nanswers to the following questions if they are applicable to you:\n\n1. What additional background information about the selection, scheduling, scope, or\n   procedures of the inspection would have been helpful to the reader in understanding this\n   report?\n\n2. What additional information related to findings and recommendations could have been\n   included in the report to assist management in implementing corrective actions?\n\n3. What format, stylistic, or organizational changes might have made this report\xe2\x80\x99s overall\n   message more clear to the reader?\n\n4. What additional actions could the Office of Inspector General have taken on the issues\n   discussed in this report which would have been helpful?\n\n5. Please include your name and telephone number so that we may contact you should we nay\n   any questions about your comments.\n\n\nName                                          Date\n\nTelephone                                     Organization\n\n\nWhen you have completed this form, you may telefax it to the Office of Inspector General at\n(202) 586-0948, or you may mail it to:\n\n                               Office of Inspector General (IG-1)\n                                     Department of Energy\n                                    Washington, DC 20585\n\n                                  ATTN: Customer Relations\n\nIf you wish to discuss this report or your comments with a staff member of the Office of\nInspector General, please contact Wilma Slaughter at (202) 586-1924.\n\x0cThis page intentionally left blank.\n\x0cThe Office of Inspector General wants to make the distribution of its reports as customer friendly and cost\n  effective as possible. Therefore, this report will be available electronically through the Internet at the\n                                             following address:\n\n                   U.S. Department of Energy Office of Inspector General Home Page\n                                        http://www.ig.doe.gov\n\n       Your comments would be appreciated and can be provided on the Customer Response Form\n                                      attached to the report.\n\x0c'